ACME errors with docker

Hi,
it seems that I still have a problem understanding the traefik configuration. When creating a new service via the docker provider I've got some acme errors:

"HTTP challenge is not enabled" entryPointName=web routerName=acme-http@internal
It is enabled, but for websecure; web should work without SSL.

"the router bookstack@docker uses a non-existent resolver: letsencrypt"
I think the resolver letsencrypt is defined in my static configuration?

"the router websecure-bookstack@docker uses a non-existent resolver: letsencrypt"
Same as above?

Info: I replaced my original domain name by "mydomain.net"

My static traefik configuration:

log:
    level: DEBUG
    
api:
    insecure: true
    dashboard: true

entryPoints:
    web:
        address: :80
    websecure:
        address: :443
        http:
            tls:
                certResolver: letsencrypt
                domains:
                    - main: "bookstack.mydomain.net"
                      sans:
                        - "*.mydomain.net"
                        - "*.lxsrv02.mydomain.net"

providers:
    docker:
        exposedbydefault: false

certificatesResolvers:
    letsencrypt:
        acme:
            email: my-email@mydomain.de
            storage: /etc/traefik/acme/acme.json
            httpChallenge:
                entryPoint: web
            caserver: https://acme-staging-v02.api.letsencrypt.org/directory

On pastebin: config.yaml - Pastebin.com

The docker labels:

    --name bookstack-app \
    --label traefik.enable=true \
    --label traefik.http.services.bookstack.loadbalancer.server.port=80 \
    --label traefik.http.services.bookstack.loadbalancer.server.url="bookstack-app" \
    --label traefik.http.routers.bookstack.service=bookstack \
    --label traefik.http.routers.bookstack.entrypoints[0]=websecure \
    --label "traefik.http.routers.bookstack.rule=Host(\"bookstack.mydomain.net\")" \
    --label traefik.http.routers.bookstack.tls.certresolver=letsencrypt \
    --label traefik.http.routers.bookstack.tls.domains[0].main=bookstack.mydomain.net \
    --label "traefik.http.routers.bookstack.tls.domains[0].sans=*.mydomain.net" \

Complete traefik log:

time="2021-10-24T07:45:16Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"bookstack\":{\"service\":\"bookstack\",\"rule\":\"Host(\\\"bookstack.mydomain.net\\\")\",\"tls\":{\"certResolver\":\"letsencrypt\",\"domains\":[{\"main\":\"lxsrv02.mydomain.net\",\"sans\":[\"*.mydomain.net\"]}]}}},\"services\":{\"bookstack\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.9:80\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2021-10-24T07:45:16Z" level=debug msg="No entryPoint defined for this router, using the default one(s) instead: [web websecure]" routerName=bookstack
time="2021-10-24T07:45:16Z" level=error msg="HTTP challenge is not enabled" entryPointName=web routerName=acme-http@internal
time="2021-10-24T07:45:16Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2021-10-24T07:45:16Z" level=debug msg="Added outgoing tracing middleware api@internal" middlewareType=TracingForwarder routerName=api@internal entryPointName=traefik middlewareName=tracing
time="2021-10-24T07:45:16Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" entryPointName=traefik routerName=dashboard@internal middlewareName=tracing middlewareType=TracingForwarder
time="2021-10-24T07:45:16Z" level=debug msg="Creating middleware" middlewareType=StripPrefix entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal
time="2021-10-24T07:45:16Z" level=debug msg="Adding tracing to middleware" routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal entryPointName=traefik
time="2021-10-24T07:45:16Z" level=debug msg="Creating middleware" routerName=dashboard@internal entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex
time="2021-10-24T07:45:16Z" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" middlewareType=RedirectRegex routerName=dashboard@internal entryPointName=traefik middlewareName=dashboard_redirect@internal
time="2021-10-24T07:45:16Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
time="2021-10-24T07:45:16Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2021-10-24T07:45:16Z" level=debug msg="Creating middleware" serviceName=bookstack middlewareName=pipelining middlewareType=Pipelining entryPointName=websecure routerName=websecure-bookstack@docker
time="2021-10-24T07:45:16Z" level=debug msg="Creating load-balancer" entryPointName=websecure routerName=websecure-bookstack@docker serviceName=bookstack
time="2021-10-24T07:45:16Z" level=debug msg="Creating server 0 http://10.0.1.9:80" serviceName=bookstack entryPointName=websecure routerName=websecure-bookstack@docker serverName=0
time="2021-10-24T07:45:16Z" level=debug msg="Added outgoing tracing middleware bookstack" middlewareType=TracingForwarder entryPointName=websecure routerName=websecure-bookstack@docker middlewareName=tracing
time="2021-10-24T07:45:16Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2021-10-24T07:45:16Z" level=debug msg="Creating middleware" middlewareName=pipelining middlewareType=Pipelining routerName=bookstack@docker serviceName=bookstack entryPointName=web
time="2021-10-24T07:45:16Z" level=debug msg="Creating load-balancer" routerName=bookstack@docker serviceName=bookstack entryPointName=web
time="2021-10-24T07:45:16Z" level=debug msg="Creating server 0 http://10.0.1.9:80" serverName=0 serviceName=bookstack entryPointName=web routerName=bookstack@docker
time="2021-10-24T07:45:16Z" level=debug msg="Added outgoing tracing middleware bookstack" entryPointName=web routerName=bookstack@docker middlewareName=tracing middlewareType=TracingForwarder
time="2021-10-24T07:45:16Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=web middlewareName=traefik-internal-recovery
time="2021-10-24T07:45:16Z" level=debug msg="No default certificate, generating one"
time="2021-10-24T07:45:16Z" level=debug msg="No default certificate, generating one"
time="2021-10-24T07:45:17Z" level=debug msg="Adding route for bookstack.mydomain.net with TLS options default" entryPointName=web
time="2021-10-24T07:45:17Z" level=debug msg="Adding route for bookstack.mydomain.net with TLS options default" entryPointName=websecure
time="2021-10-24T07:45:17Z" level=error msg="the router bookstack@docker uses a non-existent resolver: letsencrypt"
time="2021-10-24T07:45:17Z" level=error msg="the router websecure-bookstack@docker uses a non-existent resolver: letsencrypt"

What are my mistakes?

Have a nice day!
Bytecounter

@Bytecounter,

I didn't check the complete configuration, but here are a few thoughts:

  • For the use of wildcard certificates you need to use the DNS challenge.
  • I think the domain names belong to the dynamic configuration.

If you want, you are welcome to look at my docker-compose+traefik+letsencrypt sample configuration on github. This worked for me:

(In your case, you could replace the tlsChallenge in traefik.yaml with dnsChallenge. There you need to add a special configuration that works with your provider, see here: Let's Encrypt - Traefik)

Regards,
Wolfgang

Thanks for this information, Wolfgang.
It makes sense that wildcard certificate requests need the dnsChallenge.
Currently I don't need a wildcard certificate, so I replaced the wildcard by an explicit subdomain. But still the same errors :roll_eyes:

Regards,
Bytecounter

Problem found. It wasn't the service behind. It was a file permission problem. On startup traefik grumbles:
level=error msg="The ACME resolver "letsencrypt" is skipped from the resolvers list because: unable to get ACME account: permissions 750 for /etc/traefik/acme/acme.json are too open, please use 600"

The problem: the file is touched by traefik itself, but it seems that it inherits the permissions from the parent directory. After I changed the permissions of this directory, SSL works. Now I have a bad gateway error, but this might have another cause.
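One way to avoid the permission problem described above is to create the ACME storage with a strict umask before traefik first starts, and to verify it the same way traefik does (group and other bits must be clear, otherwise the resolver is skipped). This is an added example, not code from the thread; the storage path is the one from the static configuration above and the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): prepare and verify Traefik's ACME
# storage so the resolver is not skipped with "permissions ... are too open".
# Assumes a POSIX shell and stat(1) in either GNU or BSD flavour.

# Print the octal permission bits of a path, e.g. "600".
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Create the storage directory and acme.json with strict modes.
# umask 077 makes mkdir/redirection create entries as 0700/0600 regardless
# of the parent directory's mode, which is what traefik otherwise inherits.
# An existing acme.json is never truncated (it holds the account key and certs).
prepare_acme_storage() {
    dir=$1
    (
        umask 077
        mkdir -p "$dir"
        [ -e "$dir/acme.json" ] || : > "$dir/acme.json"
    )
    chmod 700 "$dir"
    chmod 600 "$dir/acme.json"
}

# Return 0 if only the owner has any access to the file (group/other bits
# are zero, e.g. 600 or 400), 1 otherwise. This mirrors the check behind
# the "permissions ... are too open, please use 600" error.
check_acme_perms() {
    file=$1
    mode=$(perm_of "$file")
    case "$mode" in
        *00) return 0 ;;
        *)   echo "permissions $mode for $file are too open, please use 600" >&2
             return 1 ;;
    esac
}

# Usage with the path from the static configuration (run before starting traefik):
# prepare_acme_storage /etc/traefik/acme && check_acme_perms /etc/traefik/acme/acme.json
```

When traefik runs in a container, the bind-mounted directory keeps the host's modes, so running this on the host before `docker run` is enough.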
